"There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
The Parliament had requested for fines to reach €100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached."
That's not necessarily the case. Consider two firms one that has $1 billion in revenue and one that has $100 million in revenue. You'd argue that the bigger firm is getting off easier with a $20 million fine vs the smaller firm's $10 million because the fine is 2% instead of 10%.
OTOH, consider that the bigger firm is made up of a collection of 10 services, each earning $100 million. The breach is only in one business unit - is the global revenue a fair metric if the breach is not global?
It will be interesting to see how this is enforced against giant corporations when (inevitably) some small piece of data is missed on some small service in a business unit nobody at the c level has ever heard of.
https://www.gdpr.associates/data-breach-penalties/
"There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
The Parliament had requested for fines to reach €100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached."